Page 1 of 1

Man in the middle

Posted: Tue Dec 29, 2009 9:56 pm
by ramblin54321
Greetings web programmers,
please forgive my ignorance but I really don't understand man in the middle attacks at all except that there are many packet sniffers readily available. Please I would greatly appreciate if some of you will more than just clue me in but actually spell it out for me very simply and clearly - how does a man in the middle attack work, and how is it prevented exactly.

1. How does he get the packets? Thousands checked for i.p. address or what?

2. What does he do with the packets? Copy and insert his from address or modify the original to be from him or are both possible or something else?

3. What about return packets? The incoming sniffed packets could yield a login for use in the future but won't be needed for a current session if the MITM can get all of the output being sent to the logged in user? If the whole web page being sent back was encrypted, how does the user decipher it without a server as in php and javascript on the user's machine?

4. SSL and certificates I read are to identify and prevent a fake web page from getting the real logins, what prevents the certificates from being copied? If SSL is just encryption that is decrypted by the server, what prevents the MITM from getting authenticated by sending the same encrypted packets? I read that the server is expecting a certain number of bytes such as what a password would have, can the same be done without SSL? How does the server know the amount of bytes to expect since it does not know the user's i.p. address?

5. If I use a cookie to verify my user's session, what prevents a MITM sniffer from obtaining the cookie?

6. As if looking at my user's data coming and going weren't bad enough, how do I keep the MITM from altering packets or stealing logins or sessions with the purpose of changing my user's data on the server?

Re: Man in the middle

Posted: Wed Dec 30, 2009 6:23 am
by kaisellgren
There is no specific MITM attack. If we are talking about active network attacks then one simple example is where two persons are using the same router, and one uses ARP poisoning to get other's packets, modifies them, and resends them to where they should have gone. In this case (at least), you need to understand how networks work and learn some low level programming language to build a tool (or find one). With passive network attacks it gets as easy as connecting to a public WiFi and reading the packets. However, you are asking in the wrong forums, being a MITM has nothing to do with PHP.
ramblin54321 wrote:and how is it prevented exactly.
Use SSL/TLS to encrypt network traffic. It's an end-to-end encryption.
ramblin54321 wrote:2. What does he do with the packets? Copy and insert his from address or modify the original to be from him or are both possible or something else?
If he is capable of modifying the packets, in real time, he could do whatever he wants to. He could rewrite the whole page you see. This could be used for plenty of malicious actions: advertising, spamming, defacement, humiliation (e.g. showing nasty photos of Gods to religious people), gaining user's CC and other sensitive details. If it's a passive network attack, there's no confidentiality like in the case of active network attacks and all information what the user (or the server) sees is seen by the attacker, too. If he wants, he could also use a session identifier to get into a user's account if such thing is applicable. In case of active network attacks, the attacker is impersonating someone (or something), so, the damage can be catastrophic.
ramblin54321 wrote:how does the user decipher it without a server as in php and javascript on the user's machine?
If you use SSL/TLS, you don't need to think about the encryption, it will be handled by the web browser (the client) and the web server.
ramblin54321 wrote:4. SSL and certificates I read are to identify and prevent a fake web page from getting the real logins, what prevents the certificates from being copied? If SSL is just encryption that is decrypted by the server, what prevents the MITM from getting authenticated by sending the same encrypted packets? I read that the server is expecting a certain number of bytes such as what a password would have, can the same be done without SSL? How does the server know the amount of bytes to expect since it does not know the user's i.p. address?
SSL/TLS encrypts the connection, as you realized, and certificates provide information such as the target domain known as the "Common Name" (let's say paypal.com as an example when you connect to their site). Then there are Certificate Authorities (http://en.wikipedia.org/wiki/Certificate_authority) who sign the certificate (when buying the SSL certificate) to make sure no one can tamper the certificate. Web browsers have a list of CAs. For example, in Chrome I can find them from Options->Under the hood->Certificates->Trusted Root Certification Authorities. All those CAs are trusted by Chrome.

In order to understand how the authentication is done, you need to understand cryptography, asymmetric encryption to be more specific. Simply put, the web browser and the server will go through a process known as "the handshake" before sending any other site relevant details. It goes like this (put very simply):

1) The client and the server agrees upon using some cipher and SSL version and they setup a session.
2) The server sends the client its certificate along with random data.
3) The client checks the certificate validity, creates random data and sends them to the server encrypted using the server's public key (from the certificate).
4) The server decrypts the message with its private key to get the client's random data.
5) The client sends a "finished" message that has the server's random data encrypted.
6) The server sends a "finished" message that has the client's random data encrypted.

Now that they both know that it's all finished, they can communicate with the shared secret as long as the session is valid.
ramblin54321 wrote:5. If I use a cookie to verify my user's session, what prevents a MITM sniffer from obtaining the cookie?
The use of SSL/TLS.
ramblin54321 wrote:6. As if looking at my user's data coming and going weren't bad enough, how do I keep the MITM from altering packets or stealing logins or sessions with the purpose of changing my user's data on the server?
Same as the above.